Splunk Add-on for AWS: Does this add-on support Se...

bhavesh91 · ‎11-08-2017

Hi ,
We encrypted Kinesis stream : https://aws.amazon.com/blogs/aws/new-server-side-encryption-for-amazon-kinesis-streams/ using Server Sided Encryption. We then have the Splunk Addon for AWS with the IAM instance profile role which has the decrypt for the KMS but when we look at the logs to see if its flowing or not , we are not seeing any logs coming in - does Splunk Add-on for AWS supports the decryption of the encrypted Kinesis stream records?

mreynov_splunk · ‎11-16-2017

I believe it should, the key is to include "kms:Decrypt" in the permission policy:
http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions

sloshburch · ‎11-15-2017

Hmmm, it sounds like you did things right. Does it work when the Kinesis stream is not encrypted?

The only thing I see sounds like you already ready it: http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWS#Configure_Kinesis

amiracle · ‎11-15-2017

According to our docs mentioned above:

Note: "The Kinesis data input only supports gzip compression or plaintext data. It cannot ingest data with other encodings, nor can it ingest data with a mix of gzip and plaintext in the same input. Create separate Kinesis inputs for gzip data and plaintext data."

So it looks like we do not have a way to read encrypted Kinesis streams with the current Add-on.

Splunk Add-on for AWS: Does this add-on support Server Side Encryption/ Decryption of Kinesis stream?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases